handle the docker service restart after the iptables service one.

This commit is contained in:
Andrea Dell'Amico 2018-03-19 15:49:43 +01:00
parent 7d8faf3cfa
commit a7f966b26e
2 changed files with 87 additions and 83 deletions


@ -20,7 +20,3 @@
command: /etc/init.d/iptables-persistent stop command: /etc/init.d/iptables-persistent stop
ignore_errors: true ignore_errors: true
- name: Restart fail2ban
service: name=fail2ban state=restarted enabled=yes
when: has_fail2ban


@ -1,91 +1,99 @@
--- ---
- name: Install the needed iptables packages - block:
apt: pkg={{ item }} state=installed - name: Install the needed iptables packages
with_items: apt: pkg={{ item }} state=installed
- iptables with_items:
- iptables-persistent - iptables
tags: iptables - iptables-persistent
- name: Create the /etc/iptables directory when needed - name: Create the /etc/iptables directory when needed
file: dest=/etc/iptables state=directory owner=root group=root mode=0755 file: dest=/etc/iptables state=directory owner=root group=root mode=0755
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6 when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
tags: iptables
- name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
- name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04 template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640 with_items:
with_items: - rules.v4
- rules.v4 when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6 notify: Start the iptables service on Ubuntu < 12.04
notify: Start the iptables service on Ubuntu < 12.04
tags: [ 'iptables', 'iptables_rules' ]
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items: with_items:
- rules.v4 - rules.v4
- rules.v6 - rules.v6
when: is_precise when: is_precise
register: install_iptables_rules_precise register: install_iptables_rules_precise
tags: [ 'iptables', 'iptables_rules' ]
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items: with_items:
- rules.v4 - rules.v4
- rules.v6 - rules.v6
when: is_trusty when: is_trusty
register: install_iptables_rules_trusty register: install_iptables_rules_trusty
tags: [ 'iptables', 'iptables_rules' ]
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7 - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items: with_items:
- rules.v4 - rules.v4
- rules.v6 - rules.v6
when: is_debian7 when: is_debian7
register: install_iptables_rules_deb7 register: install_iptables_rules_deb7
tags: [ 'iptables', 'iptables_rules' ]
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8 - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items: with_items:
- rules.v4 - rules.v4
- rules.v6 - rules.v6
when: is_debian8 when: is_debian8
register: install_netfilter_rules register: install_netfilter_rules
tags: [ 'iptables', 'iptables_rules' ]
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04 - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items: with_items:
- rules.v4 - rules.v4
- rules.v6 - rules.v6
when: when:
- ansible_distribution == 'Ubuntu' - ansible_distribution == 'Ubuntu'
- ansible_distribution_major_version >= '16' - ansible_distribution_major_version >= '16'
register: install_netfilter_rules register: install_netfilter_rules
tags: [ 'iptables', 'iptables_rules' ]
- name: Start the iptables service immediately after the new rules have been installed, on Ubuntu precise. This can have an impact on other tasks - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu precise. This can have an impact on other tasks
service: name=iptables-persistent state=restarted enabled=yes service: name=iptables-persistent state=restarted enabled=yes
notify: Restart fail2ban register: restart_related
when: ( install_iptables_rules_precise | changed ) when: install_iptables_rules_precise is changed
tags: [ 'iptables', 'iptables_rules' ]
- name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
service: name=iptables-persistent state=restarted enabled=yes service: name=iptables-persistent state=restarted enabled=yes
notify: Restart fail2ban register: restart_related
when: ( install_iptables_rules_trusty | changed ) when: install_iptables_rules_trusty is changed
tags: [ 'iptables', 'iptables_rules' ]
- name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks - name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks
service: name=iptables-persistent state=restarted enabled=yes service: name=iptables-persistent state=restarted enabled=yes
notify: Restart fail2ban register: restart_related
when: ( install_iptables_rules_deb7 | changed ) when: install_iptables_rules_deb7 is changed
tags: [ 'iptables', 'iptables_rules' ]
- name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
service: name=netfilter-persistent state=restarted enabled=yes
register: restart_related
when: install_netfilter_rules is changed
- name: Restart fail2ban after an iptables restart
service: name=fail2ban state=restarted enabled=yes
when:
- has_fail2ban
- restart_related is changed
- name: Check if the docker service is present
stat: path=/usr/bin/dockerd
register: dockerd_installed
when: restart_related is changed
- name: Restart docker after an iptables restart
service: name=docker state=restarted enabled=yes
when:
- dockerd_installed.stat.exists
- restart_related is changed
- name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
service: name=netfilter-persistent state=restarted enabled=yes
notify: Restart fail2ban
when: ( install_netfilter_rules | changed )
tags: [ 'iptables', 'iptables_rules' ] tags: [ 'iptables', 'iptables_rules' ]
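Review bot: Registering the same `restart_related` variable on all four mutually exclusive restart tasks defeats the new fail2ban and docker restarts on every host except the netfilter-persistent ones, because Ansible also writes a skipped task's (unchanged) result into its registered variable; on precise, trusty and Debian 7 the final `restart_related` comes from the skipped "Start the netfilter service" task, so `restart_related is changed` is false by the time the fail2ban, stat and docker tasks evaluate it. The docker task has a second problem: `dockerd_installed.stat.exists` is listed before `restart_related is changed`, and when the stat task was skipped `dockerd_installed` carries no `stat` key, so the conditional fails with an undefined attribute instead of skipping the task. Register a distinct variable per restart task, fold them into one fact, and guard the docker condition with `dockerd_installed.stat is defined`, as sketched below. Moving `tags` onto the enclosing `block` also attaches `iptables_rules` to the apt install task, which previously carried only `iptables`; if that is intended, a one-line comment on the block's `tags:` line would save the next reader from wondering.
```yaml
    # … unchanged: package install, /etc/iptables directory and rules templates …
    - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu precise. This can have an impact on other tasks
      service: name=iptables-persistent state=restarted enabled=yes
      register: restart_iptables_precise
      when: install_iptables_rules_precise is changed
    # … unchanged: the trusty, Debian 7 and netfilter-persistent restart tasks, each registering
    #   its own restart_iptables_trusty / restart_iptables_deb7 / restart_netfilter variable …
    - name: Record whether any iptables service has just been restarted on this host
      set_fact:
        iptables_service_restarted: "{{ (restart_iptables_precise is changed) or (restart_iptables_trusty is changed) or (restart_iptables_deb7 is changed) or (restart_netfilter is changed) }}"
    - name: Restart fail2ban after an iptables restart
      service: name=fail2ban state=restarted enabled=yes
      when:
        - has_fail2ban
        - iptables_service_restarted | bool
    - name: Check if the docker service is present
      stat: path=/usr/bin/dockerd
      register: dockerd_installed
      when: iptables_service_restarted | bool
    - name: Restart docker after an iptables restart
      service: name=docker state=restarted enabled=yes
      when:
        - iptables_service_restarted | bool
        - dockerd_installed.stat is defined
        - dockerd_installed.stat.exists
```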